Puper Mac malware 'not a drill' McAfee warns

For Mac users the age of malware peace may be over, warns a virus researcher at McAfee, who urges users to protect themselves online.

By Jonny Evans | 01 Nov 07

Hot on the heels of Intego's declaration of a Trojan Horse exploit affecting Macs comes similar news from McAfee Avert Labs.

McAfee Avert Labs has discovered that the malware family called Puper, which has been plaguing Windows users, is now targeting Mac users.

The description of the exploit - which is given on the blog of virus researcher Allysa Myers - sounds remarkably similar to that of the Trojan Horse announced (and named) last night by Intego.

Mac users are being directed to fake codec websites which host malware that changes the DNS server settings on their machine, warns McAfee.

"This means that when they attempt to visit a website, the malware is able to re-direct them to another website in the background which could be a phishing site."

The Puper malware family has been "plaguing" Windows users since 2005, McAfee warns. It is the same bug that has recently been reported as installing itself from infected MySpace pages.

At present the malware is surfacing on pornographic websites. As with the Trojan reported by Intego, McAfee warns that users are led to sites which say they must install a new codec to view the videos they offer.

When the newest Puper fake codec site is accessed by a Mac, the file which is offered is a .DMG file rather than the usual .EXE file one would see on Windows.

Depending on your browser settings, this may run automatically. Once it runs, it begins installing an application called MacCodec.

In the background, a script is created which then creates a scheduled task to change the DNS to point to a malicious server. In effect, instead of getting valid entries for websites like you would expect, you’re now getting whatever this malicious site decides to point you to. That could be a phishing site, that could be more malicious files; you can no longer trust that the URL you expected to get will be what is delivered to you.
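The mechanism described above (a scheduled task that silently rewrites the machine's DNS resolvers) is what a defender would audit for. The script below is an added example, not code from McAfee, Intego or the article: it parses the text that `networksetup -getdnsservers` and `crontab -l` print, flags any resolver not in an allowlist and any cron entry that invokes DNS-configuration tools. The trusted resolver addresses, the `Wi-Fi` service name and the sample outputs are constructed placeholders; on a Mac the `__main__` block collects live output, elsewhere it runs against the embedded samples.

```python
"""Audit macOS DNS resolver settings and crontab for a DNS-changer.

Added example (not the article's or McAfee's code). Parsing is done on
plain text so the checks can be exercised offline against constructed
samples; live collection only happens when run on macOS.
"""
import ipaddress
import re
import subprocess
import sys

# Constructed placeholder: resolvers this machine is expected to use.
TRUSTED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}

# Tools a scheduled task on macOS would call to alter DNS configuration.
DNS_TOOL_PATTERN = re.compile(r"\b(networksetup|scutil|dscacheutil)\b")


def parse_dns_servers(output: str) -> list[str]:
    """Extract IP addresses from `networksetup -getdnsservers` output.

    When no resolver is configured the tool prints a sentence such as
    "There aren't any DNS Servers set on Wi-Fi." instead of addresses,
    so every line is validated as an IP and non-addresses are skipped.
    """
    servers = []
    for line in output.splitlines():
        candidate = line.strip()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue
        servers.append(candidate)
    return servers


def untrusted_resolvers(output: str, trusted=TRUSTED_RESOLVERS) -> list[str]:
    """Return configured resolvers that are not in the trusted set."""
    return [s for s in parse_dns_servers(output) if s not in trusted]


def suspicious_cron_lines(crontab: str) -> list[str]:
    """Return crontab entries (ignoring comments) that touch DNS settings."""
    hits = []
    for line in crontab.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if DNS_TOOL_PATTERN.search(stripped):
            hits.append(stripped)
    return hits


def audit(dns_output: str, crontab: str) -> dict:
    """Combine both checks into one report dictionary."""
    return {
        "untrusted_resolvers": untrusted_resolvers(dns_output),
        "suspicious_cron": suspicious_cron_lines(crontab),
    }


# Constructed sample of what an infected machine might report
# (TEST-NET addresses stand in for the malicious resolver).
SAMPLE_DNS_OUTPUT = "203.0.113.7\n198.51.100.9\n"
SAMPLE_CRONTAB = """\
# housekeeping job, benign
0 * * * * /usr/bin/find /tmp -mtime +7 -delete
*/5 * * * * /usr/sbin/networksetup -setdnsservers Wi-Fi 203.0.113.7
"""


def _run(cmd: list[str]) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    if sys.platform == "darwin":
        dns_out = _run(["networksetup", "-getdnsservers", "Wi-Fi"])
        cron_out = _run(["crontab", "-l"])
    else:
        dns_out, cron_out = SAMPLE_DNS_OUTPUT, SAMPLE_CRONTAB
    report = audit(dns_out, cron_out)
    for ip in report["untrusted_resolvers"]:
        print(f"WARNING: resolver {ip} is not in the trusted set")
    for entry in report["suspicious_cron"]:
        print(f"WARNING: scheduled task alters DNS configuration: {entry}")
    sys.exit(1 if any(report.values()) else 0)
```

The allowlist approach matters more than the pattern match: a DNS changer can be installed through a launchd job or a direct edit of the resolver configuration rather than cron, but whatever the persistence method, the resolvers in use must still be compared against what the network is supposed to hand out.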

Avert Labs has identified dozens of different fake codec sites currently serving this Mac malware.

"People have been predicting that as soon as financially motivated malware came to the Mac neighborhood, its denizens could no longer be so smug about security issues. This is a very simple piece of malware, and yet it works. Time will tell if this family will wreak as much havoc as it has on Windows," warns Myers.